Cleartrip.com Infected With Blackhole Exploit Kit.

Cleartrip is used for booking flights, hotels and IRCTC Indian Railways tickets in India. It is a leading online booking portal. Recently, I was searching for flight information on www.cleartrip.com and my desktop antivirus delivered the following alert:

Let’s take a look at a wireshark capture taken while visiting the page.

Packet capture snapshot of cleartrip.com

The page content of "hxxp://www.cleartrip.com/eadserver/delivery/afr.php?zoneid=43&target=_blank&cb=0.027297518110020458" was broken, but after a bit of searching on the site, I was able to ultimately find the same malicious code with intact de-obfuscation logic.

For further analysis, we’ll take a look at page content. A snippet of the code is shown below:

Code source of blocked page

Much of the content is obfuscated, so we’ll need to first de-obfuscate it in order to analyze it further.

Let’s look at the obfuscated code delivered this time:

Obfuscated code source.

De-obfuscation of the aforementioned code reveals JavaScript which creates a 1x1 pixel iFrame pointing to “hxxp://trafficgoodster.info/banners.cgi?advert_id=1&banner_id=1&chid=341aa8fca26bcff7830499c1c5f8e359”.

This URL displays a .gif file, but if you look carefully, you will see that an iFrame is also delivered. It is this URL (highlighted above) that points to the Blackhole Exploit Kit.

The .info domain used in the iframe is registered for one year and was registered only recently. Naturally, newly registered domains tend to carry higher risk, as attackers often register new names for a single attack. Let’s do a whois query on the domain:
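The two indicators this post relies on, a 1x1 or CSS-hidden iframe injected into an otherwise legitimate page and an iframe destination whose domain was registered only days earlier, are both easy to check for automatically. The script below is an added example written for this post, not code from the original write-up or from Cleartrip; it parses a constructed HTML sample with a regular expression (a demonstration, not a full HTML parser), flags iframes that are sized out of sight or hidden with `display:none`/`visibility:hidden`, and then scores each iframe's domain by the age found in a constructed whois-style record. The hostnames, creation dates and the `NOW` timestamp are all made up for the example; a real deployment would feed it the fetched page and a live whois lookup.

```python
import re
from datetime import datetime, timezone
from urllib.parse import urlparse

# Constructed sample page: a legitimate ad iframe next to two hidden ones.
# Hostnames are placeholders, not the domains from the original post.
SAMPLE_HTML = """
<html><body>
<img src="/static/logo.gif" width="120" height="40">
<iframe src="http://legit-partner.example/widget" width="300" height="250"></iframe>
<iframe src="http://newly-registered.example/banners.cgi?advert_id=1" width="1" height="1" style="visibility:hidden"></iframe>
<iframe src="http://other.example/x" style="display: none"></iframe>
</body></html>
"""

# Constructed whois-style records keyed by hostname (dates are invented).
SAMPLE_WHOIS = {
    "newly-registered.example": "Creation Date: 2012-09-20T10:15:00Z\nRegistrar: Example Registrar",
    "legit-partner.example": "Creation Date: 2005-03-01T00:00:00Z\nRegistrar: Example Registrar",
    "other.example": "Registrar: Example Registrar",  # no creation date available
}

# Constructed "current time" so the example is deterministic.
NOW = datetime(2012, 10, 1, tzinfo=timezone.utc)

IFRAME_RE = re.compile(r"<iframe\b([^>]*)>", re.IGNORECASE)
# name="double quoted" | name='single quoted' | name=bare
ATTR_RE = re.compile(r'([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|\'([^\']*)\'|([^\s>]+))')
CREATED_RE = re.compile(r"^\s*Creation Date:\s*(\S+)", re.IGNORECASE | re.MULTILINE)


def _attrs(tag_body):
    """Lower-cased attribute dict for the inside of one tag."""
    out = {}
    for name, dq, sq, bare in ATTR_RE.findall(tag_body):
        out[name.lower()] = dq or sq or bare
    return out


def _dim(value):
    """'1', '1px', '0' -> int; missing or non-numeric (e.g. '100%') -> None."""
    m = re.match(r"^\s*(\d+)", value or "")
    return int(m.group(1)) if m else None


def find_hidden_iframes(html):
    """Return (src, reason) for every iframe sized out of sight or hidden by CSS."""
    hits = []
    for m in IFRAME_RE.finditer(html):
        a = _attrs(m.group(1))
        w, h = _dim(a.get("width")), _dim(a.get("height"))
        style = a.get("style", "").replace(" ", "").lower()
        reasons = []
        if (w is not None and w <= 1) or (h is not None and h <= 1):
            reasons.append(f"tiny size {w}x{h}")
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden by CSS")
        if reasons:
            hits.append((a.get("src", ""), "; ".join(reasons)))
    return hits


def domain_age_days(whois_text, now):
    """Days since the Creation Date in a whois record, or None if it has none."""
    m = CREATED_RE.search(whois_text)
    if not m:
        return None
    created = datetime.fromisoformat(m.group(1).replace("Z", "+00:00"))
    return (now - created).days


def assess_page(html, whois_lookup, now, young_days=30):
    """Hidden iframes on the page, each tagged with its domain's registration age."""
    findings = []
    for src, reason in find_hidden_iframes(html):
        host = urlparse(src).hostname or ""
        age = domain_age_days(whois_lookup.get(host, ""), now)
        if age is None:
            verdict = "unknown age"
        elif age < young_days:
            verdict = f"newly registered ({age} days)"
        else:
            verdict = f"established ({age} days)"
        findings.append({"src": src, "host": host, "hidden": reason, "domain": verdict})
    return findings


if __name__ == "__main__":
    for f in assess_page(SAMPLE_HTML, SAMPLE_WHOIS, NOW):
        print(f"{f['host']:28} {f['hidden']:28} {f['domain']}")
```

Only the two hidden iframes are reported; the visible 300x250 partner frame is ignored. The 30-day threshold is an arbitrary starting point: a frame that is both hidden and points at a domain registered within the last few days is a strong signal worth a manual look, while a hidden frame pointing at a long-established domain is more often a tracking pixel than an exploit kit landing page.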